I have a JSP/Struts application that needs to be upgraded.

Currently we only have one web system (branch), and now I need to upgrade and build another web system that represents HQ. HQ and the branches are on different domains. HQ can see 4 branches on the HQ page. We need to log in to access HQ and the branches. If HQ wants to see the details in branch A, we can click on a link such as

Total attack : <a href="https://www.branch_A.com/xxx/sss/?sss=333">105</a>

My question is how to protect the URL so that the communication can only be done securely between HQ and the branch_A.com server. If that URL is used from another IP, it should display an unauthorized message.

I have controlled the IP using request.getRemoteAddr() in the branch, but it is not secure enough.

Can anyone give me ideas on how to protect this URL?

A: 

I'd look at using client (and server) SSL certificates. There are guides for doing this under Apache and IIS (or use a search engine for whatever setup you have).

David Dorward
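As an added illustration of the client-certificate approach (this is example code, not part of the answer above): once the container or front-end web server is configured to require a client certificate on the TLS handshake, a servlet Filter can check that the presented certificate actually identifies the HQ server before letting the request through. The attribute name `javax.servlet.request.X509Certificate` is the standard one the Servlet API uses; the class name `HqClientCertFilter` and the subject DN `CN=hq.example.com,O=Example Corp,C=US` are placeholders you would replace with the DN of the certificate issued to HQ.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example: rejects any request that did not arrive over TLS with a
 * client certificate identifying the HQ server. Assumes the connector is
 * configured to require client certificates (e.g. clientAuth="true" on a
 * Tomcat connector), so the chain itself has already been validated against
 * the server's trust store; this filter only maps the certificate to "HQ".
 */
public class HqClientCertFilter implements Filter {

    // Placeholder: subject DN of the certificate issued to the HQ server.
    private static final X500Principal EXPECTED_HQ_SUBJECT =
        new X500Principal("CN=hq.example.com,O=Example Corp,C=US");

    public void init(FilterConfig config) throws ServletException {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;

        // Set by the container after a successful mutual-TLS handshake; null when
        // the request came over plain HTTP or the client sent no certificate.
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

        if (!request.isSecure() || certs == null || certs.length == 0) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }

        // certs[0] is the leaf certificate the peer presented.
        if (!isExpectedPeer(certs[0])) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate not authorized for HQ access");
            return;
        }
        chain.doFilter(request, response);
    }

    // True when the leaf certificate is within its validity period and its
    // subject matches the pinned HQ subject (X500Principal compares canonically,
    // so attribute ordering and whitespace differences do not matter).
    static boolean isExpectedPeer(X509Certificate cert) {
        try {
            cert.checkValidity(); // throws if expired or not yet valid
        } catch (CertificateException e) {
            return false;
        }
        return EXPECTED_HQ_SUBJECT.equals(cert.getSubjectX500Principal());
    }

    public void destroy() {}
}
```

Map the filter in web.xml on the url-pattern of the pages HQ is allowed to open. Because the identity comes from the TLS handshake rather than from the source IP, a request from another host cannot pass by spoofing or sharing an address, which is the gap request.getRemoteAddr() leaves open.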
+1  A: 

Use .htaccess to restrict incoming IPs? Or configure it in httpd.conf / the virtual host. Even a firewall?

Something like:

# Apache 2.2 mod_authz_host syntax: Allow directives are evaluated first, then Deny.
order allow,deny
# The two hosts below are denied; every other client matches "allow from all".
deny from 123.45.6.7
deny from 012.34.5.
allow from all
joetsuihk
It seems another IP cannot access it if we control it using this .htaccess. Forgot to add more info... The branch itself can be accessed from any place (only accessing that branch). But from HQ, I will put some flag/status in the URL to say that it is accessed from HQ.
Joe Ijam
+2  A: 

We need to login

So you already have a login system. As you're already asking this question, it sounds like a homegrown login system; otherwise you could just have configured container-managed authentication to check certain url-patterns for logged-in users/roles.

You basically just need to check the logged-in user whenever specific url-patterns are being requested. A Filter is perfectly suitable for this. Let's assume that your homegrown login system puts the logged-in user in the session scope; the Filter then just needs to test its presence:

// Inside doFilter(ServletRequest request, ServletResponse response, FilterChain chain):
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
HttpSession session = req.getSession(false); // false: don't create a session for anonymous requests
if (session != null && session.getAttribute("user") != null) {
    chain.doFilter(request, response); // User is present. Just continue request.
} else {
    res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // Error 401.
}

Map this Filter in web.xml on a url-pattern matching the requests you'd like to filter on the logged-in user. You can even go a step further by adding a user role and checking whether the logged-in user has the right role to visit the URL.

BalusC
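The complete Filter that the answer above sketches, including the role check it mentions and the web.xml mapping, as an added example that is not the answer's own code. It assumes the homegrown login stores the logged-in user in the session under the attribute name "user" and that the stored object is an `AppUser` with a `getRole()` method; `AppUser`, `HqAccessFilter`, the role name `HQ` and the init-param name `requiredRole` are all placeholders chosen here. The url-pattern `/xxx/sss/*` is taken from the link in the question.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Placeholder for the application's own user object kept in the session.
class AppUser {
    private final String name;
    private final String role;
    AppUser(String name, String role) { this.name = name; this.role = role; }
    String getName() { return name; }
    String getRole() { return role; }
}

// Added example: 401 for anonymous requests, 403 for logged-in users without
// the required role, otherwise the request continues down the chain.
public class HqAccessFilter implements Filter {

    private String requiredRole; // null means "any logged-in user is enough"

    public void init(FilterConfig config) {
        requiredRole = config.getInitParameter("requiredRole"); // e.g. "HQ"
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false) avoids creating a session for every unauthenticated hit.
        HttpSession session = req.getSession(false);
        AppUser user = (session == null) ? null : (AppUser) session.getAttribute("user");

        if (user == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in
            return;
        }
        if (requiredRole != null && !requiredRole.equals(user.getRole())) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, wrong role
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}
}

/* Mapping in web.xml (Servlet 2.5 style). The url-pattern covers the branch
   pages that only an HQ user may open:

<filter>
    <filter-name>hqAccessFilter</filter-name>
    <filter-class>HqAccessFilter</filter-class>
    <init-param>
        <param-name>requiredRole</param-name>
        <param-value>HQ</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>hqAccessFilter</filter-name>
    <url-pattern>/xxx/sss/*</url-pattern>
</filter-mapping>
*/
```

The decision is made entirely from server-side session state, so a flag or status parameter in the URL (as the question's follow-up comment proposes) is never trusted: anyone can copy a URL, but only a session established through the login system carries a user with the HQ role.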